From 37bc451741028259ee4cb02fa2c4ab19a4ec2bd6 Mon Sep 17 00:00:00 2001 From: Tony Wang Date: Wed, 7 Oct 2020 12:22:24 +0800 Subject: [PATCH] Remove plaintext Fever password from database --- database/migration.go | 2 +- database/sql.go | 3 +++ database/sql/schema_version_39.sql | 1 + model/integration.go | 1 - storage/integration.go | 32 +++++++++++++----------------- ui/form/integration.go | 1 - ui/integration_show.go | 1 - ui/integration_update.go | 6 ++++-- 8 files changed, 23 insertions(+), 24 deletions(-) create mode 100644 database/sql/schema_version_39.sql diff --git a/database/migration.go b/database/migration.go index 9838442e..8c793393 100644 --- a/database/migration.go +++ b/database/migration.go @@ -12,7 +12,7 @@ import ( "miniflux.app/logger" ) -const schemaVersion = 38 +const schemaVersion = 39 // Migrate executes database migrations. func Migrate(db *sql.DB) { diff --git a/database/sql.go b/database/sql.go index 50fae493..52265815 100644 --- a/database/sql.go +++ b/database/sql.go @@ -192,6 +192,8 @@ create index entries_user_feed_idx on entries (user_id, feed_id); "schema_version_36": `CREATE INDEX entries_feed_id_status_hash_idx ON entries USING btree (feed_id, status, hash);`, "schema_version_37": `CREATE INDEX entries_user_id_status_starred_idx ON entries (user_id, status, starred);`, "schema_version_38": `alter table users add column entry_swipe boolean default 't'; +`, + "schema_version_39": `ALTER TABLE integrations DROP COLUMN fever_password; `, "schema_version_4": `create type entry_sorting_direction as enum('asc', 'desc'); alter table users add column entry_direction entry_sorting_direction default 'asc'; 
@@ -254,6 +256,7 @@ var SqlMapChecksums = map[string]string{ "schema_version_36": "8164be7818268ad3d4bdcad03a7868b58e32b27cde9b4f056cd82f7b182a0722", "schema_version_37": "fc9eb1b452341664ddf24c1a9cf01502ac2578136e54a4853081652959285cb9", "schema_version_38": "e91d2f4075ceb7b8a16a25f350f36dee12cfd1ad86b8b6414c4cf2e9a003358c", + "schema_version_39": "b0f90b97502921d4681a07c64d180a91a0b4ccac7d3c1dbe30519ad6f1bf1737", "schema_version_4": "216ea3a7d3e1704e40c797b5dc47456517c27dbb6ca98bf88812f4f63d74b5d9", "schema_version_5": "46397e2f5f2c82116786127e9f6a403e975b14d2ca7b652a48cd1ba843e6a27c", "schema_version_6": "9d05b4fb223f0e60efc716add5048b0ca9c37511cf2041721e20505d6d798ce4", diff --git a/database/sql/schema_version_39.sql b/database/sql/schema_version_39.sql new file mode 100644 index 00000000..a7148f7c --- /dev/null +++ b/database/sql/schema_version_39.sql @@ -0,0 +1 @@ +ALTER TABLE integrations DROP COLUMN fever_password; diff --git a/model/integration.go b/model/integration.go index 9fc5696a..528859f5 100644 --- a/model/integration.go +++ b/model/integration.go @@ -16,7 +16,6 @@ type Integration struct { InstapaperPassword string FeverEnabled bool FeverUsername string - FeverPassword string FeverToken string WallabagEnabled bool WallabagURL string diff --git a/storage/integration.go b/storage/integration.go index e9653d3d..dab8b1ee 100644 --- a/storage/integration.go +++ b/storage/integration.go @@ -56,7 +56,6 @@ func (s *Storage) Integration(userID int64) (*model.Integration, error) { instapaper_password, fever_enabled, fever_username, - fever_password, fever_token, wallabag_enabled, wallabag_url, @@ -87,7 +86,6 @@ func (s *Storage) Integration(userID int64) (*model.Integration, error) { &integration.InstapaperPassword, &integration.FeverEnabled, &integration.FeverUsername, - &integration.FeverPassword, &integration.FeverToken, &integration.WallabagEnabled, &integration.WallabagURL, 
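Review bot: The new `database/sql/schema_version_39.sql` makes `fever_password` unreachable from SQL, but it does not by itself erase the plaintext values that were already stored. The schema looks like PostgreSQL (`USING btree`, `create type ... as enum`), where `DROP COLUMN` only marks the column as dropped and the old values stay in the on-disk rows until they are rewritten; they also remain in dumps and backups taken earlier. The migration has no comment, so I would add one such as `-- Old plaintext values persist on disk until the table is rewritten, and in earlier backups.` and regenerate the matching `schema_version_39` checksum in `database/sql.go`. The release notes should say the same, so operators know that older backups still contain the password.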
@@ -127,22 +125,21 @@ func (s *Storage) UpdateIntegration(integration *model.Integration) error { instapaper_password=$7, fever_enabled=$8, fever_username=$9, - fever_password=$10, - fever_token=$11, - wallabag_enabled=$12, - wallabag_url=$13, - wallabag_client_id=$14, - wallabag_client_secret=$15, - wallabag_username=$16, - wallabag_password=$17, - nunux_keeper_enabled=$18, - nunux_keeper_url=$19, - nunux_keeper_api_key=$20, - pocket_enabled=$21, - pocket_access_token=$22, - pocket_consumer_key=$23 + fever_token=$10, + wallabag_enabled=$11, + wallabag_url=$12, + wallabag_client_id=$13, + wallabag_client_secret=$14, + wallabag_username=$15, + wallabag_password=$16, + nunux_keeper_enabled=$17, + nunux_keeper_url=$18, + nunux_keeper_api_key=$19, + pocket_enabled=$20, + pocket_access_token=$21, + pocket_consumer_key=$22 WHERE - user_id=$24 + user_id=$23 ` _, err := s.db.Exec( query, @@ -155,7 +152,6 @@ func (s *Storage) UpdateIntegration(integration *model.Integration) error { integration.InstapaperPassword, integration.FeverEnabled, integration.FeverUsername, - integration.FeverPassword, integration.FeverToken, integration.WallabagEnabled, integration.WallabagURL, diff --git a/ui/form/integration.go b/ui/form/integration.go index 77e0295f..22cbc533 100644 --- a/ui/form/integration.go +++ b/ui/form/integration.go @@ -47,7 +47,6 @@ func (i IntegrationForm) Merge(integration *model.Integration) { integration.InstapaperPassword = i.InstapaperPassword integration.FeverEnabled = i.FeverEnabled integration.FeverUsername = i.FeverUsername - integration.FeverPassword = i.FeverPassword integration.WallabagEnabled = i.WallabagEnabled integration.WallabagURL = i.WallabagURL integration.WallabagClientID = i.WallabagClientID diff --git a/ui/integration_show.go b/ui/integration_show.go index 03d71e17..72615839 100644 --- a/ui/integration_show.go +++ b/ui/integration_show.go 
@@ -38,7 +38,6 @@ func (h *handler) showIntegrationPage(w http.ResponseWriter, r *http.Request) { InstapaperPassword: integration.InstapaperPassword, FeverEnabled: integration.FeverEnabled, FeverUsername: integration.FeverUsername, - FeverPassword: integration.FeverPassword, WallabagEnabled: integration.WallabagEnabled, WallabagURL: integration.WallabagURL, WallabagClientID: integration.WallabagClientID, diff --git a/ui/integration_update.go b/ui/integration_update.go index 16fdb0f3..251ce9e0 100644 --- a/ui/integration_update.go +++ b/ui/integration_update.go @@ -9,8 +9,8 @@ import ( "fmt" "net/http" - "miniflux.app/http/response/html" "miniflux.app/http/request" + "miniflux.app/http/response/html" "miniflux.app/http/route" "miniflux.app/locale" "miniflux.app/ui/form" @@ -42,7 +42,9 @@ func (h *handler) updateIntegration(w http.ResponseWriter, r *http.Request) { } if integration.FeverEnabled { - integration.FeverToken = fmt.Sprintf("%x", md5.Sum([]byte(integration.FeverUsername+":"+integration.FeverPassword))) + if integrationForm.FeverPassword != "" { + integration.FeverToken = fmt.Sprintf("%x", md5.Sum([]byte(integration.FeverUsername+":"+integrationForm.FeverPassword))) + } } else { integration.FeverToken = "" }
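Review bot: In `ui/integration_update.go`, the token is now recomputed only when `integrationForm.FeverPassword` is non-empty, which leaves two states unhandled in the `if integration.FeverEnabled` branch. Enabling Fever with an empty password presumably keeps `FeverToken` at `""`, so the integration is saved as enabled with no credential. Changing `FeverUsername` without retyping the password keeps a token derived from the old username, so the stored username and the key that actually authenticates disagree. I would reject the first case with a guard like `if integrationForm.FeverPassword == "" && integration.FeverToken == "" {` that re-renders the form with an error, and require the password whenever the username differs from the stored one; that comparison needs the username read before `Merge`, which is outside this hunk. A comment such as `// FeverToken is md5(username:password), the Fever API key; it is password-equivalent and must be handled as a secret.` would also record that the remaining column still holds credential material.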